Bug 1384136 - RFE: running httpd as a non-root user
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Luboš Uhliarik
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-10-12 15:58 UTC by Joe Orton
Modified: 2017-03-22 13:40 UTC

Doc Type: Enhancement
Type: Bug


Attachments
runuser.sh (693 bytes, text/plain)
2016-10-12 15:59 UTC, Joe Orton

Description Joe Orton 2016-10-12 15:58:34 UTC
Description of problem:
RFE from Dan to make it possible to install httpd in such a way where users can run it easily.

I am sure exactly how we should integrate this into Fedora httpd.  Basically you need a slightly different /etc/httpd tree.  The following seems to be sufficient from an untouched httpd install.  (More work required e.g. for mod_ssl config)

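#!/bin/sh
# Build a private httpd tree under the user's runtime dir and start httpd from it.
# Abort if XDG_RUNTIME_DIR is unset or empty, so rm -rf never targets /httpd.
: "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR is not set}"
rm -rf "$XDG_RUNTIME_DIR/httpd"
mkdir "$XDG_RUNTIME_DIR/httpd" \
      "$XDG_RUNTIME_DIR/httpd/logs" \
      "$XDG_RUNTIME_DIR/httpd/conf" \
      "$XDG_RUNTIME_DIR/httpd/conf.d"
# Reuse the system module configuration, modules and MIME magic file.
ln -s /etc/httpd/conf.modules.d "$XDG_RUNTIME_DIR/httpd/conf.modules.d"
ln -s /etc/httpd/modules "$XDG_RUNTIME_DIR/httpd/modules"
ln -s /etc/httpd/conf/magic "$XDG_RUNTIME_DIR/httpd/conf/magic"
# Listen on an unprivileged port and drop ServerRoot so that -d takes effect.
sed 's/Listen 80/Listen 8080/;/^ServerRoot/d' \
    < /etc/httpd/conf/httpd.conf > "$XDG_RUNTIME_DIR/httpd/conf/httpd.conf"
# Keep the PID file and other runtime files inside the per-user tree.
echo 'PIDFile httpd.pid' >> "$XDG_RUNTIME_DIR/httpd/conf/httpd.conf"
echo "DefaultRuntimeDir $XDG_RUNTIME_DIR/httpd" >> "$XDG_RUNTIME_DIR/httpd/conf/httpd.conf"
exec /usr/sbin/httpd -d "$XDG_RUNTIME_DIR/httpd"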

Comment 1 Joe Orton 2016-10-12 15:59:09 UTC
Created attachment 1209666 [details]
runuser.sh

Comment 2 Joe Orton 2016-10-12 16:13:48 UTC
There is a small set of non-invasive things we can do to make it simpler/easier to run httpd as non-root, by removing from httpd.conf things which are - or should be - hard-coded defaults. Looking through above:

- ServerRoot can probably be removed from httpd.conf (default is /etc/httpd anyway)
- User & Group we could probably hard-code the default to "apache"
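
A preflight check for the directives that the script in the Description rewrites, as an added example that is not part of the bug report or of Fedora's httpd packaging. The function names, the sample config and the treatment of ports below 1024 as root-only are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): list what in an httpd.conf would
# stop an unprivileged "httpd -d DIR" start. Reads a file argument or stdin.
# Assumptions: ports below 1024 need root (the Linux default); Include and
# IncludeOptional targets are not followed.
check_nonroot_conf() {
    awk '
    /^[ \t]*#/ { next }                         # skip comment lines
    { d = tolower($1) }                         # directive names ignore case
    d == "listen" {
        port = $2
        sub(/^.*:/, "", port)                   # drop an "addr:" or "[v6]:" prefix
        if (port ~ /^[0-9]+$/ && port + 0 < 1024)
            printf "line %d: Listen %s needs root to bind\n", NR, port
    }
    d == "serverroot" {                         # a ServerRoot in the file wins over -d
        printf "line %d: ServerRoot overrides the -d directory\n", NR
    }
    d == "pidfile"           { pid = 1 }
    d == "defaultruntimedir" { rt = 1 }
    END {                                       # the script sets both of these
        if (!pid) print "missing: PidFile"
        if (!rt)  print "missing: DefaultRuntimeDir"
    }' "$@"
}

# Constructed sample: the stock directives that the script rewrites.
sample_stock_conf() {
    printf '%s\n' \
        'ServerRoot "/etc/httpd"' \
        '#Listen 12.34.56.78:80' \
        'Listen 80' \
        'User apache' \
        'Group apache'
}

sample_stock_conf | check_nonroot_conf
```

Run against the httpd.conf that the script generates, the function prints nothing.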

Comment 3 Joe Orton 2016-10-12 16:34:42 UTC
Side note: Debian heavily "parameterize" their default apache2.conf with e.g.

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

I think that would be a backward direction for us, since it means httpd behaviour varies whether invoked as /usr/sbin/httpd or started via httpd.service - breaking principle of least surprise.  When I run e.g. "httpd -V" or "httpd -M" as root I don't want that to show something completely different to what httpd is actually running as.

https://www.google.co.uk/search?q=APACHE_RUN_USER+is+undefined

Comment 4 Fedora Admin XMLRPC Client 2016-10-17 10:42:16 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

